How One Email Rule Exposed a Hidden Threat

A fishing hook
Photo by https://unsplash.com/@kasiade

Intro

Phishing emails… we all know how abundant they are in our daily inboxes. Most are easy to spot, and although AI has recently reshaped phishing tactics, this article tells the story of an attack that was not AI-driven but was still quite clever.

In my daily IT life, dealing with questions about whether an email is phishing is nothing out of the ordinary. Sometimes I have to dig deeper, especially when a phishing email tricks a user into logging into a fake website, resulting in stolen credentials or session tokens.

This week, I was pulled into investigating something more intriguing. The setup was basic, but the phisher’s approach was surprisingly uncommon.

How It Got Noticed

A client called with concerns about a suspicious email that looked very legitimate; it even quoted the actual conversation from previous correspondence. The email asked the recipient, in this case someone from the finance department, to change the bank account details on file from a Belgian account to a UK one. That raised some red flags.

At first glance, everything seemed fine. But upon closer inspection, almost requiring a magnifying glass, we spotted a typosquatted domain. The difference? A subtle switch from "m" to "rn", two letters that render almost identically in most fonts. We thought we had it figured out and assumed it was just a clever attempt. But then came the real question: how did the attacker get access to the previous conversations and the contact list?

That’s when we dug deeper.

Digging Deeper

Our initial assumption was that the sender's email account had been compromised. We decided to inspect suspicious login attempts on the client's Microsoft 365 tenant. It didn't take long to find some odd entries: sign-ins originating from Lagos, Nigeria. The client confirmed the user wasn't traveling, so we immediately initiated post-phishing protocols: blocking the account, revoking all sessions, resetting the password, and checking inbox rules.

And there it was: an inbox rule silently moving this exact phishing thread into the Archive folder, out of the mailbox owner's view.
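What that triage and containment look like when scripted, as an added example that is not the author's own procedure: it uses Exchange Online PowerShell and the Microsoft Graph PowerShell SDK to list the user's sign-ins by country, surface inbox rules (including hidden ones) that move, mark as read, delete or forward mail, check mailbox-level forwarding, and then revoke sessions, block the account, reset the password and disable the offending rules. The user principal name, the expected sign-in country and the lookback window are placeholder assumptions.

```powershell
# Added example (not the author's script). Assumes the ExchangeOnlineManagement module and the
# Microsoft.Graph.Reports / Microsoft.Graph.Users / Microsoft.Graph.Users.Actions modules are
# installed, and that the operator holds Exchange and user-administration roles.
# The UPN, the expected countries and the lookback window are placeholder assumptions.
param(
    [string]$Upn = 'finance.user@contoso.example',   # placeholder: the mailbox under investigation
    [string[]]$ExpectedCountries = @('BE'),          # placeholder: where this user normally signs in from
    [int]$LookbackDays = 30
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All','Directory.Read.All','User.ReadWrite.All','Directory.AccessAsUser.All'

# --- 1. Triage: sign-ins for this user, grouped by country ------------------------------
$since   = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"

Write-Host "Sign-ins by country (last $LookbackDays days):"
$signIns | Group-Object { $_.Location.CountryOrRegion } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Only sign-ins from unexpected countries; a successful one (ErrorCode 0) is the red flag.
$signIns | Where-Object { $_.Location.CountryOrRegion -notin $ExpectedCountries } |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'City';    e = { $_.Location.City } },
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        ClientAppUsed,
        @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "fail($($_.Status.ErrorCode))" } } } |
    Format-Table -AutoSize

# --- 2. Inbox rules and mailbox forwarding ----------------------------------------------
# Attackers cover their tracks with rules that move, mark-as-read, delete or forward mail,
# sometimes as rules Outlook itself does not display; -IncludeHidden surfaces those too.
$rules   = Get-InboxRule -Mailbox $Upn -IncludeHidden
$suspect = $rules | Where-Object {
    $_.Enabled -and (
        $_.MoveToFolder -or $_.DeleteMessage -or $_.MarkAsRead -or
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    )
}
$suspect | Select-Object Name, Priority, MoveToFolder, DeleteMessage, MarkAsRead,
    ForwardTo, RedirectTo, SubjectContainsWords, FromAddressContainsWords |
    Format-List

# Mailbox-level forwarding is a separate setting that inbox rules do not show.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# Keep a copy of every rule before touching anything.
$rules | Select-Object Name, Enabled, Priority, Description |
    Export-Csv -Path ".\inboxrules-$($Upn -replace '[@.]', '_').csv" -NoTypeInformation

# --- 3. Containment --------------------------------------------------------------------
Revoke-MgUserSignInSession -UserId $Upn              # invalidate refresh tokens and sessions
Update-MgUser -UserId $Upn -AccountEnabled:$false    # block new sign-ins until the reset is done
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = (Read-Host -Prompt 'Temporary password')
    ForceChangePasswordNextSignIn = $true
}
# Disable rather than delete, so the rule definitions remain available as evidence.
$suspect | ForEach-Object { Disable-InboxRule -Identity $_.Identity -Confirm:$false }
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
```

Revoking sessions before resetting the password matters: a password reset alone leaves an attacker's existing refresh token valid until it expires or is revoked. The account is re-enabled only after the user has been briefed and the rule, forwarding and sign-in findings have been recorded.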

Now it was clear how the phisher had been gathering information and crafting highly targeted emails.

Having a phisher lurking in your inbox for an extended period makes it easy for them to create the perfect bait. They even went as far as registering a typosquatted domain. If the finance department had updated the bank account details based on that email, it could have taken weeks to detect, and the financial damage would have been significant.

Preventing This in the Future

End-user training is a good starting point, but it’s low-hanging fruit. While it raises awareness, it often results in information overload for non-technical users. It can help prevent the most obvious phishing attempts, but as AI continues to evolve, more robust measures are needed.

In this case, MFA was already enabled, so I won't suggest it again; it should be a default everywhere. It also did not stop this intrusion, which is exactly the point: modern phishing kits steal the session token after MFA has been satisfied, so the token itself needs protecting. What I do recommend is one of Microsoft's newer features: Token Protection, a Conditional Access session control available with the Entra ID P1 licence that is included in Business Premium. It binds the sign-in session to the device, so a stolen token replayed from the attacker's machine is rejected. At the time of writing it only covers Windows desktop clients connecting to Exchange Online and SharePoint Online, not browser sessions or other platforms, so treat it as one layer, and roll it out in report-only mode first.
Learn more about Token Protection

Additionally, Conditional Access policies that block high-risk sign-ins and high-risk users can stop further successful logins until the issue is resolved. The "impossible travel" scenario is what Entra ID Protection calls "atypical travel" (Defender for Cloud Apps uses the name "impossible travel"); it is one of the detections that raise a sign-in's risk level, which the sign-in risk policy then acts on. Note that these risk-based policies depend on Entra ID Protection and therefore an Entra ID P2 licence, which Business Premium does not include.
Set up risk policies here
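The three policies recommended above, created through the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not the author's configuration. All three start in report-only mode; the emergency-access account object ID is a placeholder, and the `secureSignInSession` session control is assumed to be the Graph representation of Token Protection.

```powershell
# Added example (not the author's configuration). Assumes the Microsoft.Graph.Identity.SignIns
# module, a Conditional Access Administrator account, an Entra ID P1 licence for token protection
# and P2 for the risk policies, and an existing emergency-access account whose object ID below
# is a placeholder.
Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

$breakGlass       = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account object ID
$exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online (first-party app ID)
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online (first-party app ID)

# Every policy is created in report-only mode; switch 'state' to 'enabled' only after reviewing
# the report-only results in the sign-in log for false positives.
$reportOnly = 'enabledForReportingButNotEnforced'

# 1. Token protection: the secureSignInSession control binds the token to the device, so a token
#    stolen by a phishing kit and replayed elsewhere is refused. Scoped to the clients the feature
#    covers: Windows desktop clients talking to Exchange Online and SharePoint Online.
$tokenProtection = @{
    displayName = 'Token protection - Windows desktop clients to EXO and SPO'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    sessionControls = @{ secureSignInSession = @{ isEnabled = $true } }
}

# 2. High user risk: Identity Protection judges the account itself compromised (for example,
#    leaked credentials), so block it; an admin then resets the password and dismisses the risk.
$blockHighUserRisk = @{
    displayName   = 'Block high user risk'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        userRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. High sign-in risk: detections such as atypical travel raise an individual sign-in's risk,
#    and this policy blocks that sign-in rather than the whole account.
$blockHighSignInRisk = @{
    displayName   = 'Block high sign-in risk'
    state         = $reportOnly
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($tokenProtection, $blockHighUserRisk, $blockHighSignInRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

Excluding the emergency-access account from every policy is deliberate: a risk policy that fires on the only account able to fix it locks the tenant out of its own recovery.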

I would love to hear your thoughts and suggestions on how to tackle the more advanced phishing threats.
